How to create a security culture in your company in 2019


Cybersecurity isn’t just about the computer hardware, software, and networking technicalities that it pertains to. It is also about how human beings behave with computer technology–and what sort of cyber risks that behavior can create. Culture influences behavior, and the security culture of your company can have an immense effect on your cybersecurity. I’ll explain why.

What is security culture?

Every single person in your organization has an effect on its security, from the CEO to the janitor. Your company’s security culture is the set of security policies it has, together with each employee’s attitude toward those policies.

Having good security policies is very important. For example, there need to be policies about limiting and monitoring access to your organization’s sensitive data. But if your organization’s attitude is that compliance with those policies doesn’t matter if you don’t get caught, that’s where problems can escalate.

Because human beings are highly social creatures, our behavior is directly shaped by the culture of the groups we belong to; that is the basic premise of sociology. So both policy and attitude are crucial to having a strong security culture.

Best practices for creating a company culture of security

Your organization might be a large government agency, or a manufacturer of vending machines that make consumers a customized hot personal pizza while they watch. But no matter the size, scope, or industry of your company, there are five best practices for creating a strong security culture.

Lead by example

Everyone in an organization has an effect on its security culture. We’ve covered this. But people in leadership positions have greater influence because they have authority. Subordinates look to their bosses for direction because their success within an organization depends upon their approval. So, supervisors, managers, and executives play a crucial role. They must make security policies and procedures clear to everyone. They must be accessible and approachable for their teams to ask them about security policies and procedures. And most importantly, they must lead by example. They must abide by those security policies themselves, whether or not they’re being watched. “Do as I say, not as I do” works poorly with children, and it works poorly with employees too. People have an understandable aversion to hypocrisy, and will take their leadership a lot more seriously if they practice what they preach.

Make good practices habit and routine

It’s not only people like network administrators or CISOs that have an effect on an organization’s security. Customer service agents handle sensitive customer data. Janitors can unlock doors and have a direct effect on a building’s physical security. Receptionists see who’s coming and going from a building and often handle sensitive business data as well. Strong security culture is dependent on the understanding that everyone has an effect on security. And security culture is most effective when everyone cooperates as a team to engage in good security practices as a matter of habit and routine. It’s easier and more effective to put the time and effort in at the beginning to make a behavior a habit and routine, than to need to always consciously remember to do something. The effort invested pays off.

Enforce the principle of least privilege

Only people who must have access to specific data or systems in order to do their jobs should have that access. Enforce it in your IAM (identity and access management) systems; it is the digital version of asking who should hold a key to the storage room. Organizations use all kinds of digital keys, such as passwords and cryptographic certificates. A strong security culture emphasizes that neither physical nor digital keys are shared: anyone who needs access obtains their own credentials through the proper channels, so that every action remains attributable to one person. That applies as much to user login data as it does to key cards that open doors. Limiting access to your organization’s valuable assets also reduces its attack surface and makes theft and tampering less likely. But it starts with a culture that enforces the principle of least privilege.
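The check behind “who should have a key to the storage room?” can be automated against an export of your IAM system. The following is an added example written for this article, not code from the original page: it compares the permissions each account actually holds against the minimum its role needs, denies by default, and reports every grant that exceeds the role’s need. The roles, permission names and accounts are constructed sample data.

```python
"""Least-privilege audit for an account inventory.

Added example, not from the original article. The roles, permissions
and accounts below are constructed sample data; in practice they would
be exported from your IAM system.
"""
from dataclasses import dataclass


# Each role maps to the minimum permissions that job actually requires.
# Permissions use a "namespace:action" form; "namespace:*" is a wildcard.
ROLE_NEEDS = {
    "customer_service": {"crm:read_customer", "crm:update_contact"},
    "janitor": {"door:unlock_floor_1"},
    "receptionist": {"door:unlock_lobby", "visitors:log"},
    "dba": {"db:read", "db:write", "db:admin"},
}


@dataclass
class Account:
    name: str
    role: str
    grants: set  # permissions actually granted in the IAM system


def grant_matches(grant: str, perm: str) -> bool:
    """True if a granted permission covers the requested one."""
    if grant.endswith(":*"):
        return perm.startswith(grant[:-1])  # keep the "namespace:" prefix
    return grant == perm


def is_allowed(acct: Account, perm: str) -> bool:
    """Deny by default: access exists only if an explicit grant covers it."""
    return any(grant_matches(g, perm) for g in acct.grants)


def excess_privileges(acct: Account) -> set:
    """Grants the account holds beyond what its role needs.

    A wildcard grant counts as excess unless the role's need list names
    that exact wildcard, because it silently covers every permission
    later added to the namespace. An account with an unknown role has
    no defined need, so every grant it holds is reported.
    """
    needed = ROLE_NEEDS.get(acct.role, set())
    return {g for g in acct.grants if g not in needed}


def audit(accounts) -> dict:
    """Map each over-privileged account name to its sorted excess grants."""
    report = {}
    for acct in accounts:
        extra = excess_privileges(acct)
        if extra:
            report[acct.name] = sorted(extra)
    return report


# Constructed sample inventory (not real users).
SAMPLE_ACCOUNTS = [
    Account("alice", "customer_service",
            {"crm:read_customer", "crm:update_contact", "db:admin"}),
    Account("bob", "janitor", {"door:*"}),
    Account("carol", "receptionist", {"door:unlock_lobby", "visitors:log"}),
    Account("dave", "dba", {"db:read", "db:write", "db:admin"}),
    Account("erin", "contractor", {"crm:read_customer"}),
]


if __name__ == "__main__":
    for name, extra in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: remove {', '.join(extra)}")
```

Run against the sample inventory, the audit flags alice’s stray `db:admin`, bob’s `door:*` wildcard (which would open any door added later), and erin, whose role has no defined need at all. Carol and dave hold exactly what their roles require and are not reported. The point of treating wildcards and unknown roles as findings is that least privilege has to be stated in terms of what a job needs, not in terms of what is convenient to grant.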

Keep software and systems up-to-date

You’d be surprised by how many cyber-attacks succeed without exploiting a single zero-day vulnerability; they rely on flaws for which a fix already exists. Timely software and system updates are an important part of maintaining a good security culture because poorly patched software is a lot easier to attack. This and the previous best practice are discussed further in a separate article on the often-mundane but important aspects of security.

Make security training engaging and bite-sized

Everyone within your organization needs security training at regular intervals. Repetition is key. They should be reminded about phishing and social engineering attacks and how to identify them. Matters of physical security, such as door locks and who to grant physical access to your buildings, can be slotted in here as well. There are many excellent security awareness tips available. One of my favorites is to make security training fun. People retain information much better if they aren’t bored to tears. Gamification is one strategy: turning ordinary everyday activities into games. Maybe your employees can be divided into two groups and enjoy a “Family Feud” style trivia contest. Maybe roleplay social engineering attacks and how to detect them. Whatever the method, keep security training sessions brief; people lose attention otherwise, and the training loses its effect.

Security culture framework

A security culture framework is:

a system for creating security culture goals,

implementing activities and procedures toward those goals,

and measuring how successful those actions are in obtaining those goals.

One free and open framework you can explore for potential fit for your organization is the Security Culture Framework, created by security culture expert Kai Roer. It describes itself as “a community site where you can download templates, discuss best practices, share and learn about the Security Culture Framework, and about how to create lasting security culture in your organization.”

Conclusion: right attitudes create right actions

Your organization’s cybersecurity isn’t just about how your computer technology is configured. It’s also about the behavior of everyone in your company, because a threat may arrive as a message from a known and trusted vendor that has been digitally impersonated in order to gain access to your vault.

Everyone in your organization needs to be aware of the policies and the risks. They also need the right attitude because right attitudes create right actions. If your organization makes a deliberate and ongoing effort to improve your security culture, the benefits will be felt everywhere.

Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.
By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.